Re: is this webpage secure? - Security

Re: is this webpage secure?

Dr Balwinder Singh Dheeman wrote:
> Proteus wrote:
>> I am told by people in charge at the campus where I teach that this
>> login page is secure, that the form login info (username, password) is
>> secure when sent. But the browser page (Firefox, Mandriva Linux) info
>> says the page is not encrypted, not secure. Can someone clarify how such
>> a login page can securely transmit the login info? Link to login page is
>> below: http://www.lsc.edu/Online/VirtualCampusLogin.cfm
>
> No, I don't think; you are sending clear text data via _http_ (port 80),
> whereas URLs for secure pages send encrypted data via _https_ (http via
> ssl, port 443).

Just to clarify, the login form is built this way...

method="post" ... >

doLogin.asp is essentially a bit of JavaScript that does this among other
things...

form.action = 'https://lsc.ims.mnscu.edu';
[...]
form.submit();

A secure connection is negotiated before any form data is submitted, so
nothing but the form and the login script is sent in the clear, to the
site's visitor. No names or passwords or anything go back the other way
unencrypted.

FWIW, I did packet capture a (failed) session just to make sure nothing
was broken.

--
_?_ Outside of a dog, a book is a man's best friend.
(@ @) Inside of a dog, it's too dark to read.
-oOO-(_)--OOo-------------------------------[ Groucho Marx ]--
grok! Registered Linux user #402208
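A small check in the spirit of the explanation above, written as an added example for this thread (it is not code from any of the posters or from the LSC site): given the URL that served the page and the action the form actually ends up with, it reports whether the page and the credential POST are each protected by TLS, which is exactly the distinction the browser's "not encrypted" indicator is drawing. The relative action 'doLogin.asp' used as the static attribute value, and the audit helper's reliance on a live document, are assumptions.

```javascript
// Classify how a login form's submission is protected, given the URL of the
// page that served it and the form's *effective* action, i.e. the value left
// after any script (like the doLogin.asp snippet in the thread) assigned
// form.action at runtime. Relative actions resolve against the page URL
// exactly as a browser resolves them.
function classifyLoginForm(pageUrl, formAction) {
  const page = new URL(pageUrl);
  const target = new URL(formAction, pageUrl);
  const pageSecure = page.protocol === 'https:';
  const postSecure = target.protocol === 'https:';

  let verdict;
  if (pageSecure && postSecure) {
    verdict = 'secure'; // page and credentials both travel over TLS
  } else if (!pageSecure && postSecure) {
    // The POST carrying the credentials is encrypted, which is what the packet
    // captures in the thread confirm. The browser still reports the page as
    // unencrypted because the form and the script that picked the https target
    // arrived in clear text, so their integrity rests on plain http delivery.
    verdict = 'post-encrypted-page-unauthenticated';
  } else if (pageSecure && !postSecure) {
    verdict = 'post-in-clear'; // padlock on the page, credentials leave over http
  } else {
    verdict = 'all-in-clear';
  }
  return { pageSecure, postSecure, target: target.origin, verdict };
}

// Browser-side audit (assumes a live DOM; not run here): for every form, report
// the action the browser will actually submit to, including a value a script
// assigned before submit. Note that form.action is not a string when the form
// contains a control named "action", so fall back to the attribute then.
function auditForms(doc) {
  const results = [];
  for (const form of doc.forms) {
    const effective = typeof form.action === 'string'
      ? form.action
      : (form.getAttribute('action') || '');
    results.push({ id: form.id || form.name || '(anonymous form)',
                   ...classifyLoginForm(doc.location.href, effective) });
  }
  return results;
}

// Constructed inputs modelled on the thread: the form as served over http with
// an assumed static action of doLogin.asp, and the target after the rewrite.
const PAGE = 'http://www.lsc.edu/Online/VirtualCampusLogin.cfm';
const staticForm = classifyLoginForm(PAGE, 'doLogin.asp');
const rewritten = classifyLoginForm(PAGE, 'https://lsc.ims.mnscu.edu');
console.log(staticForm.verdict, '->', rewritten.verdict);
```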

Re: is this webpage secure?

Jeffrey F. Bloss wrote:
> Dr Balwinder Singh Dheeman wrote:
>> Proteus wrote:
>>> I am told by people in charge at the campus where I teach that this
>>> login page is secure, that the form login info (username, password) is
>>> secure when sent. But the browser page (Firefox, Mandriva Linux) info
>>> says the page is not encrypted, not secure. Can someone clarify how such
>>> a login page can securely transmit the login info? Link to login page is
>>> below: http://www.lsc.edu/Online/VirtualCampusLogin.cfm
> Just to clarify, the login form is built this way...
>
>
> method="post" ... >
>
> doLogin.asp is essentially a bit of JavaScript that does this among other
> things...
>
> form.action = 'https://lsc.ims.mnscu.edu';
> [...]
> form.submit();
>
> A secure connection is negotiated before any form data is submitted, so
> nothing but the form and the login script is sent in the clear, to the
> site's visitor. No names or passwords or anything go back the other way
> unencrypted.

Thank you for the explanation, and thanks to Proteus for
bringing it up. This is something I've wondered about for
a long time.

I used snort to capture the session, and saw that port 443
quickly came into play, and saw something resembling a
certificate go past ("$Equifax Secure Certificate Authority0...0504211"),
and noted that my "bait" username and password did not
appear in the clear.